Supabase Security

Supabase is the default backend for most vibe-coded apps, so its security is the whole game. RLS, the anon vs service_role keys, storage buckets — what actually leaks, and what only looks scary.

8 articles

Cornerstone, 11 min read

Supabase Security for AI-Built Apps: The Complete Guide

A plain-English guide to Supabase security for AI-built apps. Learn the real risks — RLS, service keys, storage buckets — and how to check your own app today.

8 min read

CVE-2025-48757 Explained: How 170 Apps Leaked Through One Missing Policy

CVE-2025-48757 explained for non-developers: how 170 Lovable-built apps leaked real data through missing Supabase RLS — and how to check if yours did too.

8 min read

Is My Supabase Exposed? Check It in 5 Minutes

Worried your Supabase data is exposed? Run this 5-minute self-audit: check RLS on every table, query your endpoints as a stranger, and spot USING(true) policies.

8 min read

service_role vs anon Key: Which One Actually Ends Your Company

service_role vs anon key in Supabase: the anon key is safe in the browser, but a leaked service_role key bypasses all RLS. How to tell them apart and what to do.

7 min read

Supabase RLS Explained: It's a WHERE Clause on Every Query

Supabase RLS in plain English: it's a WHERE clause your database adds to every query. Learn how Row Level Security works, why AI tools skip it, and how to check yours.

8 min read

Supabase Storage Buckets: The Public-by-Default Mistake

Supabase storage security in plain English: how public buckets expose user photos, IDs, and receipts, how storage RLS works, and how to check your buckets.

8 min read

Testing RLS the Right Way: anon, owner, and other-user

Learn how to test Supabase RLS for real using three personas — anon, owner, and other-user — with copy-paste curl and supabase-js examples. See a pass vs a leak.

8 min read

The USING(true) Trap: RLS That Passes the Scan but Leaks Everything

One of the worst Supabase RLS mistakes: a USING(true) policy looks enabled but leaks every row. Learn why AI tools generate it and how to rewrite it safely.